# CCNA 200-301 - Video 38: 802.1X and Network Access Control (NAC)

## Deep Study Notes

---

## Learning Objectives

By the end of this video, you should understand:

- What 802.1X is and why it's used
- 802.1X architecture (Supplicant, Authenticator, Authentication Server)
- EAP (Extensible Authentication Protocol) types
- 802.1X configuration on Cisco switches
- Network Access Control (NAC) concepts
- MAB (MAC Authentication Bypass)
- 802.1X verification and troubleshooting

---

## Core Concepts

### 1. What is 802.1X?

**Definition:** IEEE 802.1X is a port-based network access control standard that provides authentication for devices trying to connect to a LAN or WLAN. It prevents unauthorized devices from accessing the network until they successfully authenticate.

**Analogy:** Think of 802.1X like a security guard at a building entrance. You must show your badge (credentials) before you're allowed to enter. If you can't authenticate, you're kept in the lobby (an unauthenticated or guest VLAN) or denied entry entirely.
```
802.1X ARCHITECTURE

BEFORE AUTHENTICATION:

  Supplicant            Authenticator           Authentication Server
  (Client Device)       (Switch)                (RADIUS Server)

  +-----------+         +-----------+           +-----------+
  |    PC     |    X    |  Switch   |           |  RADIUS   |
  |           |         |           |           |  Server   |
  +-----------+         +-----------+           +-----------+
        Unauthorized (no access beyond EAPoL)

AFTER AUTHENTICATION:

  Supplicant            Authenticator           Authentication Server
  (Client Device)       (Switch)                (RADIUS Server)

  +-----------+         +-----------+           +-----------+
  |    PC     |<------->|  Switch   |<--------->|  RADIUS   |
  |           |         |           |           |  Server   |
  +-----------+         +-----+-----+           +-----------+
                              |
                              | Authorized Access
                              v
                       Corporate Network
```

---
### 2. 802.1X Components

| Component | Description | Example |
|-----------|-------------|---------|
| **Supplicant** | Client device requesting network access | PC with 802.1X supplicant (Windows, macOS, Linux) |
| **Authenticator** | Network device controlling port access | Cisco switch, wireless controller |
| **Authentication Server** | Validates credentials | RADIUS server (Cisco ISE, FreeRADIUS, Windows NPS) |

```
802.1X COMMUNICATION FLOW

Supplicant                  Authenticator                Authentication Server
(Client)                    (Switch)                     (RADIUS)
   |                            |                              |
   | 1. EAPoL-Start             |                              |
   |--------------------------->|                              |
   |    (EAP over LAN)          |                              |
   | 2. EAP-Request/Identity    |                              |
   |<---------------------------|                              |
   | 3. EAP-Response/Identity   |                              |
   |--------------------------->|                              |
   |                            | 4. RADIUS Access-Request     |
   |                            |----------------------------->|
   |                            | 5. RADIUS Access-Challenge   |
   |                            |<-----------------------------|
   | 6. EAP-Request (Method)    |                              |
   |<---------------------------|                              |
   | 7. EAP-Response (Method)   |                              |
   |--------------------------->|                              |
   |                            | 8. RADIUS Access-Request     |
   |                            |----------------------------->|
   |                            | 9. RADIUS Access-Accept      |
   |                            |<-----------------------------|
   | 10. EAP-Success            |                              |
   |<---------------------------|                              |
   | 11. Port Authorized        |                              |
   |                            |                              |

EAPoL = EAP over LAN (Ethernet frames)
RADIUS uses UDP 1812/1813
```

---
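To make the relay role of the authenticator concrete, here is a small Python model of the 11-step exchange above. This is an added example, not code from the course notes: the three roles are plain objects, EAPoL frames and RADIUS packets are dicts rather than real wire formats, and the EAP method is EAP-MD5 (RFC 3748 section 5.4) only because its challenge/response fits in a few lines; the notes rightly rate EAP-MD5 as weak. The user database and credentials are constructed values.

```python
"""Model of the 802.1X exchange: supplicant <-EAPoL-> switch <-RADIUS-> server.
The switch never evaluates the EAP method itself; it relays EAP and acts only on
the server's Access-Accept / Access-Reject. Added example, simplified on purpose."""
import hashlib
import os
from typing import Optional

# Constructed credential store on the RADIUS server (assumption for the demo).
USER_DB = {"alice": b"correct horse"}

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    # RFC 3748 5.4: Response value = MD5(Identifier || password || challenge)
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class Supplicant:
    """Client side: only ever speaks EAPoL to the switch."""

    def __init__(self, identity: str, password: bytes):
        self.identity, self.password = identity, password

    def handle(self, eap: dict) -> Optional[dict]:
        if eap["code"] != EAP_REQUEST:
            return None  # EAP-Success / EAP-Failure need no answer
        if eap["type"] == EAP_TYPE_IDENTITY:
            return {"code": EAP_RESPONSE, "id": eap["id"], "type": EAP_TYPE_IDENTITY,
                    "data": self.identity.encode()}
        if eap["type"] == EAP_TYPE_MD5:
            value = eap_md5_response(eap["id"], self.password, eap["data"])
            return {"code": EAP_RESPONSE, "id": eap["id"], "type": EAP_TYPE_MD5, "data": value}
        raise ValueError("unsupported EAP type")


class RadiusServer:
    """Authentication server: sees RADIUS attributes, never the switch port."""

    def __init__(self):
        self.pending = {}  # identity -> (expected EAP id, challenge)

    def handle(self, access_request: dict) -> dict:
        eap, identity = access_request["EAP-Message"], access_request["User-Name"]
        if eap["type"] == EAP_TYPE_IDENTITY:
            challenge = os.urandom(16)
            self.pending[identity] = (eap["id"] + 1, challenge)
            return {"code": "Access-Challenge",   # step 5
                    "EAP-Message": {"code": EAP_REQUEST, "id": eap["id"] + 1,
                                    "type": EAP_TYPE_MD5, "data": challenge}}
        eap_id, challenge = self.pending.pop(identity)
        password = USER_DB.get(identity)
        expected = eap_md5_response(eap_id, password, challenge) if password else None
        if expected is not None and eap["id"] == eap_id and eap["data"] == expected:
            return {"code": "Access-Accept", "EAP-Message": {"code": EAP_SUCCESS, "id": eap_id}}
        return {"code": "Access-Reject", "EAP-Message": {"code": EAP_FAILURE, "id": eap_id}}


class Authenticator:
    """Switch: unwraps EAP from EAPoL, wraps it into RADIUS, and back."""

    def __init__(self, server: RadiusServer):
        self.server, self.port_authorized, self.trace = server, False, []

    def authenticate(self, supplicant: Supplicant) -> bool:
        self.trace.append("EAPoL-Start")                                   # step 1
        eap = {"code": EAP_REQUEST, "id": 1, "type": EAP_TYPE_IDENTITY, "data": b""}
        identity = None
        while True:
            self.trace.append(f"EAP code {eap['code']} -> supplicant")
            response = supplicant.handle(eap)
            if response is None:            # Success or Failure was delivered
                return self.port_authorized
            if response["type"] == EAP_TYPE_IDENTITY:
                identity = response["data"].decode()
            # steps 4 and 8: EAP response carried inside a RADIUS Access-Request
            radius = self.server.handle({"User-Name": identity, "EAP-Message": response})
            self.trace.append(f"RADIUS {radius['code']}")
            eap = radius["EAP-Message"]
            self.port_authorized = radius["code"] == "Access-Accept"   # step 11


def run(identity: str, password: bytes) -> bool:
    """Run one full exchange; True means the port ended up authorized."""
    return Authenticator(RadiusServer()).authenticate(Supplicant(identity, password))


if __name__ == "__main__":
    print("alice / correct password:", run("alice", b"correct horse"))
    print("alice / wrong password:  ", run("alice", b"wrong"))
```

Note that `Authenticator` never touches `USER_DB` or the challenge: that is the whole point of the three-party design, and it is why a compromised switch still cannot verify credentials on its own.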
### 3. EAP (Extensible Authentication Protocol) Types

| EAP Type | Description | Security | Use Case |
|----------|-------------|----------|----------|
| **EAP-MD5** | Username/password with MD5 hash | Weak | Legacy |
| **EAP-TLS** | Certificate-based mutual authentication | Strong | Corporate (requires PKI) |
| **EAP-TTLS** | Tunneled TLS (inner authentication) | Strong | Corporate, BYOD |
| **PEAP** | Protected EAP (inner authentication) | Strong | Windows, Cisco, BYOD |
| **EAP-FAST** | Flexible Authentication via Secure Tunneling | Strong | Cisco, BYOD |
| **LEAP** | Lightweight EAP (Cisco proprietary) | Weak | Legacy Cisco |

```
EAP METHODS COMPARISON

EAP-MD5:
  - Username/password
  - No server certificate validation
  - Weak security - not recommended

PEAP (Protected EAP):
  - TLS tunnel established first
  - Server certificate required
  - Inner authentication: MSCHAPv2 (password) or TLS (certificate)
  - Most common for Windows and Cisco devices

EAP-TLS:
  - Mutual certificate authentication
  - Strongest security
  - Requires PKI infrastructure
  - No passwords involved
```

---
### 4. 802.1X Port States

| State | Description |
|-------|-------------|
| **Unauthorized** | Port is blocked; only EAPoL and CDP traffic allowed |
| **Authorized** | Port is open; normal traffic allowed |
| **Force-Authorized** | Port always open (no authentication) |
| **Force-Unauthorized** | Port always blocked |

```
802.1X PORT STATES

Before Authentication:

  Switch Port (Unauthorized)
  +-------------------------------------------------------+
  | Allowed: EAPoL, CDP                                   |
  | Blocked: All other traffic (IP, ARP, etc.)            |
  +-------------------------------------------------------+

After Successful Authentication:

  Switch Port (Authorized)
  +-------------------------------------------------------+
  | Allowed: All traffic                                  |
  | VLAN assigned (from RADIUS or configured)             |
  +-------------------------------------------------------+
```

---

### 5. 802.1X Configuration (Switch)

**Basic 802.1X Configuration:**

```cisco
! Enable AAA
Switch(config)# aaa new-model

! Configure RADIUS server
Switch(config)# radius server RADIUS1
Switch(config-radius-server)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
Switch(config-radius-server)# key SecureRadiusKey123
Switch(config-radius-server)# exit
! Configure RADIUS server group
Switch(config)# aaa group server radius RADIUS-GROUP
Switch(config-sg-radius)# server name RADIUS1
Switch(config-sg-radius)# exit

! Configure 802.1X authentication
Switch(config)# aaa authentication dot1x default group RADIUS-GROUP

! Enable 802.1X globally
Switch(config)# dot1x system-auth-control

! Configure interface for 802.1X
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# authentication port-control auto
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# dot1x timeout tx-period 30
Switch(config-if)# dot1x max-req 3
Switch(config-if)# exit
```

---

### 6. 802.1X with VLAN Assignment

**Dynamic VLAN Assignment (RADIUS returns VLAN):**

```cisco
! Switch configuration
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# authentication port-control auto
Switch(config-if)# dot1x pae authenticator

! RADIUS server returns VLAN ID
! Example RADIUS attribute: Tunnel-Private-Group-ID = 10
```

**Fallback VLAN Configuration:**

```cisco
! Guest VLAN for devices that never respond to 802.1X (no supplicant)
Switch(config)# interface FastEthernet0/1
Switch(config-if)# authentication event no-response action authorize vlan 99

! Critical VLAN used while the RADIUS server is unreachable,
! and re-initialize the port once the server is back
Switch(config-if)# authentication event server dead action authorize vlan 100
Switch(config-if)# authentication event server alive action reinitialize
```

---

### 7. MAB (MAC Authentication Bypass)

**Definition:** MAB allows devices that don't support 802.1X to authenticate using their MAC address. The switch sends the MAC address as both the username and the password to the RADIUS server.
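The dynamic VLAN and MAB cases above both come down to RADIUS attributes. The following Python is an added example, not code from the course notes: it builds the Access-Request a switch would send for a MAB client (MAC as `User-Name` and `User-Password`, hidden per RFC 2865 section 5.2), then decodes a constructed Access-Accept carrying the RFC 2868 tunnel attributes (`Tunnel-Type`, `Tunnel-Medium-Type`, `Tunnel-Private-Group-ID`) that express a VLAN assignment, checking the Response Authenticator first. The shared secret, MAC address and packet identifier are constructed; the exact username format MAB uses (here 12 lowercase hex digits without separators) is a switch setting and is an assumption.

```python
"""RADIUS packet layout for MAB and dynamic VLAN assignment. Added example."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def _block_xor(data: bytes, secret: bytes, req_auth: bytes, chain_output: bool) -> bytes:
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    block); 'previous' is the Request Authenticator for the first block and the
    previous ciphertext block after that. Hiding feeds back the output block,
    revealing feeds back the input block, so one routine serves both."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if chain_output else data[i:i + 16]
    return out


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return _block_xor(padded, secret, req_auth, chain_output=True)


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _block_xor(hidden, secret, req_auth, chain_output=False).rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def mab_access_request(mac: str, secret: bytes, ident: int = 1) -> Tuple[bytes, bytes]:
    """Access-Request for a MAB client; also returns the Request Authenticator
    the switch must keep to validate the server's reply."""
    username = mac.replace(":", "").replace(".", "").lower().encode()  # assumed format
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, username)
    attrs += attr(USER_PASSWORD, hide_password(username, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def access_accept_with_vlan(vlan: int, req_auth: bytes, secret: bytes, ident: int = 1) -> bytes:
    """Constructed server reply for the 'Tunnel-Private-Group-ID = 10' case."""
    tag = b"\x01"  # tag byte ties the three tunnel attributes together
    attrs = attr(TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    attrs += attr(TUNNEL_MEDIUM_TYPE, tag + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
    attrs += attr(TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan).encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()   # RFC 2865 3
    return header + resp_auth + attrs


def vlan_from_reply(pkt: bytes, req_auth: bytes, secret: bytes) -> Optional[int]:
    """Authenticator side: drop any reply whose Response Authenticator does not
    verify (a reply forged without the shared secret), then read the VLAN."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or code != ACCESS_ACCEPT:
        return None
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return None
    found = {}
    for atype, value in parse_attrs(pkt[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[atype] = int.from_bytes(value[1:], "big")            # skip tag byte
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            body = value[1:] if value and value[0] <= 0x1F else value  # tag optional
            found[atype] = body.decode(errors="replace")
    if found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802:
        return None
    gid = found.get(TUNNEL_PRIVATE_GROUP_ID, "")
    return int(gid) if gid.isdigit() else None
```

Two things worth noticing when you run it: the MAB "password" is only the MAC address, so the secrecy of a MAB session rests entirely on the RADIUS shared secret and on the server's MAC database, which is why the notes reserve MAB for devices that cannot do 802.1X; and the VLAN is accepted only when all three tunnel attributes agree, which is the check a switch performs before moving the port.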
```
MAC AUTHENTICATION BYPASS (MAB)

Use Case: Printers, IP phones, IoT devices (no 802.1X support)

Process:

  Device connects -> Switch detects MAC -> RADIUS request

  RADIUS Access-Request:
    Username: aa:bb:cc:dd:ee:ff
    Password: aa:bb:cc:dd:ee:ff

  RADIUS Access-Accept -> Port authorized
```

**MAB Configuration:**

```cisco
! Enable MAB on interface
Switch(config)# interface FastEthernet0/1
Switch(config-if)# authentication port-control auto
Switch(config-if)# mab
Switch(config-if)# authentication order dot1x mab
Switch(config-if)# authentication priority dot1x mab
```

---

### 8. 802.1X with Multiple Authentication Methods

**Authentication Order and Priority:**

```cisco
! Configure authentication order (try 802.1X first, then MAB)
Switch(config)# interface FastEthernet0/1
Switch(config-if)# authentication order dot1x mab

! Configure authentication priority (802.1X outranks MAB: a supplicant that
! starts 802.1X can take over a port that MAB already authorized)
Switch(config-if)# authentication priority dot1x mab

! Fall back to MAB when 802.1X gets no response (device has no supplicant)
Switch(config-if)# authentication event no-response action authorize mab
```

---

### 9. 802.1X Timers

| Timer | Default | Description |
|-------|---------|-------------|
| `tx-period` | 30 seconds | Time between EAP-Request retransmissions |
| `quiet-period` | 60 seconds | Time to wait after failed authentication |
| `reauth-period` | 3600 seconds | Time between re-authentications |
| `supp-timeout` | 30 seconds | Time to wait for supplicant response |

```cisco
! Configure 802.1X timers
Switch(config)# interface FastEthernet0/1
Switch(config-if)# dot1x timeout tx-period 30
Switch(config-if)# dot1x timeout quiet-period 60
Switch(config-if)# dot1x timeout reauth-period 3600
Switch(config-if)# dot1x timeout supp-timeout 30

! Enable periodic re-authentication
Switch(config-if)# dot1x reauthentication
```

---

### 10. 802.1X Verification Commands

| Command | Purpose |
|---------|---------|
| `show dot1x` | Display 802.1X global status |
| `show dot1x interface [int]` | Display 802.1X interface status |
| `show authentication sessions` | Display active authentication sessions |
| `show authentication interface [int]` | Display interface authentication status |
| `show radius statistics` | Display RADIUS statistics |
| `debug dot1x events` | Debug 802.1X events |
| `debug authentication feature` | Debug authentication features |

**Example Outputs:**

```cisco
Switch# show dot1x interface fastEthernet 0/1
Dot1x Info for FastEthernet0/1
-------------------------------------------
PAE                       = Authenticator
PortControl               = Auto
ControlDirection          = Both
HostMode                  = Single Host
ReAuthentication          = Enabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600
MaxReq                    = 2
TxPeriod                  = 30
```

```cisco
Switch# show authentication sessions
Interface    MAC Address     Method   Domain   Status         Session ID
Fa0/1        aaaa.bbbb.cccc  dot1x    DATA     Authz Success  0A12345678

Switch# show authentication interface fastEthernet 0/1
            Interface:  FastEthernet0/1
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
       Session Uptime:  1h 23m
    Common Session ID:  0A12345678
      Acct Session ID:  0x00000001
               Handle:  0x0C000001
       Current Policy:  POLICY_1

Local Policies: Not Applied
Server Policies: Not Applied

Method status list:
       Method           State
       dot1x            Authc Success
```

---
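Sections 7 to 9 introduce several interacting knobs (method order, method priority, the no-response and server-dead actions, and the `tx-period` / `max-req` timers). The Python below is an added example, not code from the course notes and not Cisco's implementation: it is a deliberately simplified model of how an access port settles on a state given those settings, so the timing arithmetic is illustrative only. Method names and the `vlan N` action strings mirror the CLI keywords used in the notes; the devices are constructed.

```python
"""Simplified model of 802.1X/MAB port authorization decisions. Added example."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PortConfig:
    order: Tuple[str, ...] = ("dot1x", "mab")      # authentication order
    priority: Tuple[str, ...] = ("dot1x", "mab")   # authentication priority
    tx_period: int = 30                            # dot1x timeout tx-period
    max_req: int = 3                               # dot1x max-req
    no_response_action: Optional[str] = None       # e.g. "vlan 20" (guest VLAN)
    server_dead_action: Optional[str] = None       # e.g. "vlan 30" (critical VLAN)


@dataclass
class Device:
    """What the switch can observe about the endpoint and the RADIUS server."""
    has_supplicant: bool                     # answers EAP-Request/Identity at all
    radius_reachable: bool = True
    dot1x_accepted: Optional[bool] = None    # server verdict if 802.1X runs
    mab_accepted: Optional[bool] = None      # server verdict if MAB runs


@dataclass
class Outcome:
    status: str                  # "Authorized" or "Unauthorized"
    method: Optional[str]        # "dot1x", "mab", "guest-vlan", "critical-vlan", None
    vlan: Optional[int] = None   # set only when a fallback VLAN is applied
    waited: int = 0              # seconds spent waiting on a silent supplicant


def _vlan(action: Optional[str]) -> Optional[int]:
    """'vlan 20' -> 20; any other action -> None."""
    if action and action.startswith("vlan "):
        return int(action.split()[1])
    return None


def authorize(cfg: PortConfig, dev: Device) -> Outcome:
    # Server dead: no method can complete, so only the critical VLAN helps.
    if not dev.radius_reachable:
        vlan = _vlan(cfg.server_dead_action)
        return (Outcome("Authorized", "critical-vlan", vlan) if vlan is not None
                else Outcome("Unauthorized", None))

    waited = 0
    for method in cfg.order:
        if method == "dot1x":
            if not dev.has_supplicant:
                # Identity request plus max_req retransmissions, tx_period apart,
                # before the port declares no-response and tries the next method.
                waited += cfg.tx_period * (cfg.max_req + 1)
                continue
            if dev.dot1x_accepted:
                return Outcome("Authorized", "dot1x", waited=waited)
            return Outcome("Unauthorized", None, waited=waited)   # explicit reject
        if method == "mab" and dev.mab_accepted:
            return Outcome("Authorized", "mab", waited=waited)
        # MAB reject (unknown MAC): fall through to the no-response action.
    vlan = _vlan(cfg.no_response_action)
    if vlan is not None:
        return Outcome("Authorized", "guest-vlan", vlan, waited)
    return Outcome("Unauthorized", None, waited=waited)


def can_preempt(cfg: PortConfig, current: str, new: str) -> bool:
    """authentication priority: a method listed earlier may take over a port
    already authorized by one listed later (a MAB-authorized port on which a
    supplicant later sends EAPoL is the usual case)."""
    return cfg.priority.index(new) < cfg.priority.index(current)


if __name__ == "__main__":
    cfg = PortConfig(no_response_action="vlan 20", server_dead_action="vlan 30")
    print("printer:", authorize(cfg, Device(has_supplicant=False, mab_accepted=True)))
    print("PC:     ", authorize(cfg, Device(has_supplicant=True, dot1x_accepted=True)))
    print("unknown:", authorize(cfg, Device(has_supplicant=False, mab_accepted=False)))
    print("dead:   ", authorize(cfg, Device(has_supplicant=True, radius_reachable=False)))
```

The model makes two defender-side points visible. First, with the notes' defaults a device with no supplicant sits unauthorized for `tx_period * (max_req + 1)` seconds before MAB even starts, which is why printers and phones appear "slow to get an address" on newly secured ports. Second, an unknown silent device ends up in the guest VLAN rather than blocked whenever a no-response action is configured, so the guest VLAN's reach is the real security boundary on such ports.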
### 11. Network Access Control (NAC) Concepts

**Definition:** Network Access Control is a broader security concept that ensures devices meet security policies before being granted network access.

```
NAC (Network Access Control)

NAC Components:

  Posture Assessment    - Check antivirus, patches, OS version
                        - Validate device compliance

  Remediation Network   - Quarantine non-compliant devices
                        - Provide remediation portal

  Guest Access          - Temporary access for visitors
                        - Limited network resources

  BYOD Support          - Personal devices
                        - Onboarding portal

Cisco ISE (Identity Services Engine):
  - Cisco's NAC solution
  - Provides 802.1X authentication
  - Posture assessment
  - Guest access management
  - BYOD onboarding
  - Profiling (identify device types)
```

---
### 12. 802.1X Troubleshooting

| Problem | Symptom | Solution |
|---------|---------|----------|
| **No Authentication** | Port remains unauthorized | Check `dot1x system-auth-control`, interface config |
| **RADIUS Unreachable** | Authentication fails | Verify RADIUS server IP, shared secret, network connectivity |
| **Certificate Issues** | EAP-TLS/PEAP fails | Check certificate validity, trust chain |
| **Client Not Responding** | Timeout errors | Verify client 802.1X supplicant enabled, correct settings |
| **Wrong VLAN** | Device gets wrong VLAN | Check RADIUS VLAN attribute, switch VLAN configuration |
| **MAB Failing** | MAC not authenticated | Verify MAC in RADIUS database, MAB enabled on interface |

**Troubleshooting Commands:**

```cisco
! Check 802.1X status
Switch# show dot1x interface fastEthernet 0/1
Switch# show authentication interface fastEthernet 0/1

! Test RADIUS connectivity (user / pass are placeholder credentials)
Switch# test aaa group radius user pass new-code

! Debug authentication
Switch# debug authentication feature
Switch# debug dot1x events
Switch# debug radius

! Clear authentication session
Switch# clear authentication interface fastEthernet 0/1
```

---

## Complete Configuration Examples

### Lab 1: Basic 802.1X with RADIUS

**Topology:**

```
PC (Supplicant) ----- Switch (Authenticator) ----- RADIUS Server
```

**Switch Configuration:**

```cisco
hostname Switch
!
! Enable AAA
aaa new-model
!
! Configure RADIUS server
radius server RADIUS1
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key CiscoISE123
!
! Configure RADIUS group
aaa group server radius RADIUS-GROUP
 server name RADIUS1
!
! Configure 802.1X authentication
aaa authentication dot1x default group RADIUS-GROUP
!
! Enable 802.1X globally
dot1x system-auth-control
!
! Configure interface
interface FastEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
end
```

---

### Lab 2: 802.1X with Guest and Critical VLANs

**Switch Configuration:**

```cisco
hostname Switch
!
aaa new-model
!
radius server RADIUS1
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key CiscoISE123
!
aaa group server radius RADIUS-GROUP
 server name RADIUS1
!
aaa authentication dot1x default group RADIUS-GROUP
!
dot1x system-auth-control
!
! Create VLANs
vlan 10
 name Corporate
!
vlan 20
 name Guest
!
vlan 30
 name Critical
!
! Configure interface with fallback VLANs
interface FastEthernet0/1
 switchport mode access
 authentication port-control auto
 authentication event server dead action authorize vlan 30
 authentication event no-response action authorize vlan 20
 dot1x pae authenticator
!
end
```

---

### Lab 3: 802.1X with MAB for Printers

**Switch Configuration:**

```cisco
hostname Switch
!
aaa new-model
!
radius server RADIUS1
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key CiscoISE123
!
aaa group server radius RADIUS-GROUP
 server name RADIUS1
!
aaa authentication dot1x default group RADIUS-GROUP
!
dot1x system-auth-control
!
! Configure interface with 802.1X and MAB
interface FastEthernet0/1
 switchport mode access
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event no-response action authorize mab
 mab
 dot1x pae authenticator
!
end
```

---

### Lab 4: Dynamic VLAN Assignment

**Switch Configuration:**

```cisco
hostname Switch
!
aaa new-model
!
radius server RADIUS1
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key CiscoISE123
!
aaa group server radius RADIUS-GROUP
 server name RADIUS1
!
aaa authentication dot1x default group RADIUS-GROUP
!
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
! RADIUS returns VLAN attribute:
! Tunnel-Private-Group-ID = VLAN ID
!
end
```

---

## Exam Tips (For CCNA 200-301)

| Topic | What Cisco Tests |
|-------|------------------|
| **802.1X Components** | Supplicant (client), Authenticator (switch), Authentication Server (RADIUS) |
| **EAP Types** | EAP-TLS (certificates), PEAP (password in TLS tunnel) |
| **MAB** | MAC address authentication for non-802.1X devices |
| **Port States** | Unauthorized, Authorized, Force-Authorized, Force-Unauthorized |
| **RADIUS** | UDP 1812/1813, used as authentication server |
| **Dynamic VLAN** | RADIUS returns VLAN assignment |

### Common Exam Scenarios:

**Scenario 1:** "A printer needs to connect to a switch port that uses 802.1X. The printer doesn't support 802.1X. Which feature should be enabled?"

- **Answer:** MAB (MAC Authentication Bypass)

**Scenario 2:** "Which EAP method uses mutual certificate authentication?"

- **Answer:** EAP-TLS

**Scenario 3:** "What is the role of the authenticator in 802.1X?"

- **Answer:** The switch acts as the authenticator, controlling port access and relaying messages between supplicant and authentication server.

### Mnemonics:

**802.1X Components:**
**"S.A.S." - Supplicant, Authenticator, Server**

- **S**upplicant: Client requesting access
- **A**uthenticator: Switch controlling access
- **S**erver: RADIUS validating credentials

**EAP Methods Security:**

**"MD5 Weak, PEAP Strong, TLS Strongest"**

- EAP-MD5: Weak
- PEAP: Strong (tunneled)
- EAP-TLS: Strongest (mutual certificates)

---

## Summary (1-Minute Revision)

```
802.1X PORT-BASED AUTHENTICATION:

COMPONENTS:
  - Supplicant: Client device (PC, phone, printer)
  - Authenticator: Switch, WLC (controls port access)
  - Authentication Server: RADIUS (validates credentials)

EAP METHODS:
  - EAP-MD5: Username/password (weak)
  - PEAP: TLS tunnel + inner auth (strong)
  - EAP-TLS: Mutual certificates (strongest)
  - EAP-FAST: Cisco proprietary

PORT STATES:
  - Unauthorized: Only EAPoL allowed
  - Authorized: All traffic allowed
  - Force-Authorized: Always open
  - Force-Unauthorized: Always blocked

CONFIGURATION:
  - aaa new-model
  - radius server [name]
  - aaa authentication dot1x default group [name]
  - dot1x system-auth-control
  - interface [int]
      - authentication port-control auto
      - dot1x pae authenticator

MAB (MAC Authentication Bypass):
  - mab (on interface)
  - authentication order dot1x mab
  - authentication event no-response action authorize mab

DYNAMIC VLAN:
  - RADIUS returns Tunnel-Private-Group-ID

VERIFICATION:
  - show dot1x interface [int]
  - show authentication sessions
  - show authentication interface [int]
  - debug dot1x events
```

---

## Practice Questions

**1. What are the three components of 802.1X?**

- A) Client, Server, Switch
- B) Supplicant, Authenticator, Authentication Server
- C) User, Device, Network
- D) PC, Router, Firewall

<details>
<summary>Answer</summary>
<b>B) Supplicant, Authenticator, Authentication Server</b> - The three components of the 802.1X architecture.
</details>
**2. Which EAP method uses mutual certificate-based authentication?**

- A) EAP-MD5
- B) PEAP
- C) EAP-TLS
- D) LEAP

<details>
<summary>Answer</summary>
<b>C) EAP-TLS</b> - EAP-Transport Layer Security uses mutual certificate authentication.
</details>

**3. Which protocol does 802.1X use between the supplicant and authenticator?**

- A) RADIUS
- B) EAPoL
- C) TACACS+
- D) LDAP

<details>
<summary>Answer</summary>
<b>B) EAPoL</b> - EAP over LAN is used between supplicant and authenticator.
</details>

**4. What is MAB (MAC Authentication Bypass) used for?**

- A) Bypass authentication for administrators
- B) Authenticate devices that don't support 802.1X
- C) Bypass MAC address filtering
- D) Authenticate using certificates

<details>
<summary>Answer</summary>
<b>B) Authenticate devices that don't support 802.1X</b> - MAB uses the MAC address for authentication.
</details>

**5. Which command enables 802.1X globally on a Cisco switch?**

- A) `dot1x enable`
- B) `dot1x system-auth-control`
- C) `aaa dot1x enable`
- D) `authentication dot1x`

<details>
<summary>Answer</summary>
<b>B) <code>dot1x system-auth-control</code></b> - Enables 802.1X globally on the switch.
</details>

**6. What is the default port state before authentication?**

- A) Authorized
- B) Unauthorized
- C) Force-Authorized
- D) Force-Unauthorized

<details>
<summary>Answer</summary>
<b>B) Unauthorized</b> - The port starts in the unauthorized state until authentication succeeds.
</details>

**7. Which protocol does the authenticator use to communicate with the authentication server?**

- A) EAPoL
- B) RADIUS
- C) TACACS+
- D) LDAP

<details>
<summary>Answer</summary>
<b>B) RADIUS</b> - RADIUS is used between authenticator and authentication server.
</details>
**8. What is the purpose of a guest VLAN?**

- A) Allow authenticated users access
- B) Provide limited access for unauthenticated devices
- C) Block all traffic
- D) Enable MAB

<details>
<summary>Answer</summary>
<b>B) Provide limited access for unauthenticated devices</b> - The guest VLAN isolates unauthenticated devices.
</details>

**9. Which command configures the authentication order to try 802.1X first, then MAB?**

- A) `authentication order dot1x mab`
- B) `authentication priority dot1x mab`
- C) `dot1x order dot1x mab`
- D) `mab order dot1x`

<details>
<summary>Answer</summary>
<b>A) <code>authentication order dot1x mab</code></b> - Sets the order of authentication methods.
</details>

**10. What is the default RADIUS authentication port?**

- A) UDP 1645
- B) UDP 1812
- C) TCP 49
- D) UDP 1813

<details>
<summary>Answer</summary>
<b>B) UDP 1812</b> - RADIUS authentication uses UDP port 1812 (RFC compliant).
</details>

**11. Which command displays active authentication sessions?**

- A) `show dot1x`
- B) `show authentication sessions`
- C) `show auth`
- D) `show sessions`

<details>
<summary>Answer</summary>
<b>B) <code>show authentication sessions</code></b> - Displays active authenticated sessions.
</details>

**12. What does PEAP use to protect the inner authentication?**

- A) MD5 hash
- B) TLS tunnel
- C) Clear text
- D) Certificate only

<details>
<summary>Answer</summary>
<b>B) TLS tunnel</b> - PEAP establishes a TLS tunnel before sending credentials.
</details>

---

## Next Steps

After completing Video 38, you should be ready for:

- **Video 39:** VPN Configuration (Review and Advanced)
- **Video 40:** Firewall Technologies

**Lab Practice:**

1. Configure basic 802.1X on a switch
2. Set up a RADIUS server (FreeRADIUS or Windows NPS)
3. Configure 802.1X supplicant on a PC
4. Test authentication and verify with `show authentication sessions`
5. Configure MAB for a printer
6. Configure dynamic VLAN assignment
7. Test guest VLAN fallback
8. Troubleshoot authentication failures